6 Replies Latest reply on Sep 22, 2015 2:53 PM by TheVMinator

    SAN Zoning, masking and compliance

    TheVMinator Master

      How should SAN fabric Zoning and masking be approached, if compliance with standards like HIPAA, SOX, FISMA is in view?

      Which of these issues are at stake?

       

      1.  Zone and mask ESXi hosts that are in scope of compliance so that ESXi hosts that are not in scope are in separate zones?

      2.  Use more granular and stricter zoning and masking in general, to demonstrate stricter standards if the infrastructure design is audited, so that each ESXI host has its own zone, or each ESXi cluster has its own zone, even inside the scope area for compliance?

       

      How should I think about Zoning and masking from a compliance perspective?

       

      Thanks!

        • 1. Re: SAN Zoning, masking and compliance
          Texiwill Guru
          User ModeratorsvExpert

          Hello,

           

          There are two types of stores for data, those only the vSphere Hosts can see, and those the VMs can see.

           

          Now a VM should NEVER be able to see those LUNs (stores) a vSphere Host can see and visa versa. So ensure your zoning/masking is appropriate.

           

          Now if a cluster of vSphere hosts is dedicated to HIPAA, SOX, etc. Then zoning is also appropriate so that that cluster sees only the appropriate LUNs. but if the cluster is NOT dedicated (which it really does not need to be), then you should not employ zoning or masking to ensure separation as it just does not help.

           

          I would tag the VM, tag the LUN, tag the network as being for PCI or HIPAA or whatever and employ HyTrust, Catbird vSecurity, etc to ensure that workloads do not appear on the inappropriate LUNs, Networks, etc.

           

          Physical separation is fine but it also can waste quite a bit of resources when in reality, a vSphere host has minimally 4 trust zones already within it. The VM workload is just one of those trustzones: Management, FT, vMotion, Storage, Workload PCI, Workload HIPAA, etc. To make the best use employ the appropriate tool to manage those zones. Since a host already has 4 trust zones, perhaps more, it is inappropriate to think that physical separation is all that is required.

           

          Best regards,
          Edward L. Haletky
          VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

          Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

          Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

          1 person found this helpful
          • 2. Re: SAN Zoning, masking and compliance
            TheVMinator Master

            OK thanks - this is great input.  I think the one thing here that I take away is that compliance is concerned about how the VM is isolated or not isolated, and the trust zones relative the virtual machine.  It is not concerned about how SAN Fabric is designed.  For example, if you are a SAN architect, you think about best security practices for how you design your SAN fabric, etc. and some best security practices that you try to work towards in your storage design no matter what happens at the virtualization layer.  Am I correct in saying that HIPAA auditors don't care about that kind of SAN infrastructure design security, they are looking at it from the perspective of the virtual machine workload and the data in the VM?

            • 3. Re: SAN Zoning, masking and compliance
              Texiwill Guru
              vExpertUser Moderators

              Hello,

               

              To meet compliance the architecture and security of your SAN, Virtual Environment, Workloads, applications, networks, security all have to be working together and not designed separately. So I would say that yes what happens at the SAN level and how it integrates into the virtual environment and the security of that in conjunction with the workloads and networks in use does matter. You cannot properly secure the virtual environment if you apply security in silos. It is a team effort. It is those connection points that really make the difference and become part of the attack surface.

               

              HIPAA AUditors (any compliance auditor) should be looking at everything in scope, which is everything that indirectly or directly touches the workload in question. So VMs + SAN I would say is in scope. But what I would do is talk to the auditors find out their thoughts on scope and work from that. You may find that first you have to educate the auditors about a cloud infrastructure before they can understand the complexity and controls you have in place.

               

              Best regards,
              Edward L. Haletky
              VMware Communities User Moderator, VMware vExpert 2009-2015

              Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

              Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

              1 person found this helpful
              • 4. Re: SAN Zoning, masking and compliance
                TheVMinator Master

                OK great.  In reference to your first reply also, you said you don't think separate clusters are required for HIPAA.  So if I have a VM tagged for HIPAA, and the trust zone separation is managed by HyTrust, where does it need to be separated?

                 

                Does it need to be on a separate datastore from non-HIPAA VMs?  Can they be on the same datastore also?

                • 5. Re: SAN Zoning, masking and compliance
                  Texiwill Guru
                  vExpertUser Moderators

                  Hello,

                   

                  If you are encrypting the data within the VM then separate datastores are not really required, however, you may want to use separate datastores for HIPAA data just to keep things simpler for audits. If it was me, I would keep them separate, it will make compliance audits a whole lot easier and remove non-HIPAA VMs from a scope of the audit. In HyTrust I would set up a HIPAA tag on the VM, the virtual networks in use, and the datastores. This way I can have a clean audit.

                   

                  Technically speaking, it really depends on where you encrypt your HIPAA data. Practically speaking, for HIPAA it is all about the audit. Make the audit easier, but do not waste resources in doing so. Compute can be shared (you may have to disable TPS or get the latest TPS fixes however.)

                   

                  Best regards,
                  Edward L. Haletky
                  VMware Communities User Moderator, VMware vExpert 2009-2015

                  Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

                  Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

                  • 6. Re: SAN Zoning, masking and compliance
                    TheVMinator Master

                    OK thanks again